
UK fines sound alarm bells on cross-border risk management

Australia’s global corporations should ensure their assurance processes are in order, following a spate of major fines imposed by the UK Financial Services Authority (FSA) on global financial firms, including Goldman Sachs and Zurich Insurance, for failing to adequately coordinate their cross-border risk management.

The Institute of Internal Auditors, Australia (IIA) recently sounded the warning, as global corporations have to deal with the complexities of multiple group entities with devolved reporting structures, operating in a myriad of countries and under different regulatory regimes.

“In this environment, the challenge for risk management is to ensure there is a group-wide approach to governance and risk that is consistently applied across all group members, no matter how small or ‘far flung’ the entity may be,” said the IIA’s director of policy, Joe Garbutt.

“A vital ingredient is a strong group-wide internal audit function that reports to key decision-makers on whether the governance framework is working effectively. This may sound like common sense, but as the Zurich and Goldman Sachs incidents show, in practice it’s easy to slip up.”

The FSA recently fined Goldman Sachs’s UK arm £17.5 million ($28.5 million) for failing to meet its UK obligations to disclose that it was being investigated by the US Securities and Exchange Commission for alleged misleading statements made in connection with the marketing of certain derivatives.

In the Goldman Sachs case, Garbutt said several senior managers in London knew of the US SEC investigation but they failed to inform the UK compliance team so that they could report it to the FSA as they were bound to do.

Margaret Cole, managing director of enforcement and financial crime for the FSA said: “We have repeatedly stressed the importance of firms self-reporting regulatory issues to the FSA in a timely way.”

While Cole acknowledged that Goldman Sachs did not set out to hide anything, its defective systems and controls meant that the level and quality of its communications with the FSA fell far below what was expected.

The FSA also fined Zurich International’s UK branch £2.3 million ($3.7 million) for failing to have adequate systems in place to prevent the loss of confidential information pertaining to 46,000 customers including their identity details, bank account and credit card information.

Zurich UK had outsourced the processing of some of its customer data to a group company, Zurich South Africa, which had lost an unencrypted back-up tape during a routine transfer to a data storage centre. Zurich UK did not become aware of the data loss until it was uncovered a year later following an internal privacy audit.

“Zurich UK let its customers down badly,” said Cole. “It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.”

Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made, Cole added.

In both these cases, Garbutt said a group-wide internal audit review could have detected the significant problems in intra-group communication that led to Goldman Sachs’ failure to manage its cross-border regulatory risks and Zurich’s neglect in handling its offshore group outsourcing arrangements.

“Establishing sound policies and procedures on matters like breach reporting and outsourcing is critical, but not enough,” said Garbutt, who recommended that companies take extra steps to ensure these requirements are actually being applied and are being reflected in the day-to-day practices of all relevant group members.

Australian banks are required under APRA’s prudential standards to have an internal audit function, in the same way that the FSA expects UK-based banks to have one, Garbutt noted. Yet, with the complexities of global risk management continuing to catch out many seemingly sophisticated firms, he said there was clearly no room for complacency.

“The lesson for Australia’s global corporations is that a robust risk assurance process is an absolute necessity,” he said.

“This means continuing to support a vigilant group-wide internal audit function that applies the IIA’s consistent and internationally recognised internal audit standards, and that reports to the board with a rigorous and independent view on whether risks within the global business are under control.”


Cross-border risks to watch

  • Are group policies and procedures, such as those regarding OHS or fraud and corruption, consistently applied throughout all entities within the group, and is adherence to such policies regularly monitored?
  • Are offshore outsourcing arrangements governed by contracts or policies that prescribe appropriate standards, and are such arrangements regularly monitored for adherence to such policies or contractual requirements? Do outsourcing contracts allow the company’s internal auditor to have access to the contractor for the purpose of reviewing the contractor’s compliance with the company’s requirements?
  • Do the group’s privacy and IT security policies have regard to jurisdiction-specific risks that sensitive data may be illegally accessed for financial crime?
  • Is there a consistent and robust compliance breach reporting system so that if a breach emerges in one jurisdiction, it will be reported in a prompt manner to any other jurisdiction that needs to know?
  • Does the company’s compliance function assist the internal audit team through training or briefings to better understand the group’s regulatory obligations, so that the internal auditors can conduct more effective reviews of whether regulatory risks are well-managed?